Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Twisted Panda Campaign Targets Russian Defense Institutions
CheckPoint reports the Twisted Panda campaign by APT10 and Mustang Panda targeting Russian defense institutions since June 2021. Phishing emails with malicious documents lead to the SPINNER backdoor, which collects system information, exfiltrates files, downloads payloads, and runs OS commands. The campaign focuses on entities within Rostec Corporation.
Phishing with Chatbots
Phishing scams are now using chatbots to improve authenticity and steal credentials. Trustwave and BleepingComputer observed DHL-themed phishing emails that lead to webchats, deceiving victims into providing personal and payment information, including one-time passcodes, under the guise of re-processing undelivered packages due to damaged labels.
iPhone Chip Low-Power Mode (LPM) Security Issue
Researchers at Germany's Technical University of Darmstadt have discovered a security issue in Apple's iPhone chips related to Low-Power Mode (LPM). The Bluetooth chip, which remains active for up to 24 hours after the device is powered off, lacks mechanisms for digitally signing or encrypting firmware. This vulnerability, which persists due to hardware limitations, could allow attackers to exploit the device and launch malicious firmware. The risk is not easily solvable with system updates and has a long-lasting effect on iOS security. Apple has not yet responded to the findings.
Conti & Its Subsidiary Group Blackbyte
AdvIntel's extensive research on the Conti ransomware group delves into its subsidiary group Blackbyte, which, along with the data extortion group Karakurt, supports Conti's operations. The relationship between Conti and Blackbyte was investigated following the San Francisco 49ers data breach on February 13th, 2022. Security news outlets initially pointed to Blackbyte as the attacker, but AdvIntel identified Conti as the true perpetrator, using Blackbyte as a shell group. The breach began on December 14th, 2021, with Cobalt Strike commands targeting the 49ers' network, compromising the primary domain and accessing finance and accounting sectors. AdvIntel notes a trend of ransomware groups creating sub-divisions for data exfiltration without encryption. Conti's alliances extend to HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. Future predictions suggest ransomware groups will continue to spawn business derivatives for smaller operations. Detection techniques for Blackbyte emphasize Rclone, Cobalt Strike, Metasploit, and PowerShell commands.
Cryware
Microsoft's latest research investigates the rise of Cryware, a malware targeting hot wallets (non-custodial cryptocurrency wallets). Cryware exploits locally stored data on a user's device to steal information such as private keys, seed phrases, and wallet addresses. This information allows attackers to initiate crypto transactions without the victim's consent, leveraging the irreversible nature of blockchain transactions to ensure the victim cannot recover their funds. Attackers use various techniques, including memory dumping, keylogging, exfiltrating wallet storage files, and clipping and switching. The latter technique monitors clipboard contents and replaces copied wallet addresses with the attacker's address, redirecting funds to the attacker.
Cisco Talos & BlackByte Ransomware Group
Cisco Talos has identified significant activity from the BlackByte ransomware group, which targets victims worldwide, including in North America, Colombia, the Netherlands, China, Mexico, and Vietnam. The group typically gains initial access by exploiting vulnerabilities in Microsoft Exchange (such as ProxyShell) or SonicWall VPN. A documented intrusion in March 2022 began with a BAT script executing and installing AnyDesk, followed by the creation of a new account for persistence. The attackers then tampered with system services, modified the registry, and created firewall rules to deploy the BlackByte ransomware, achieving encryption within 17 hours. Common attack patterns include the use of AnyDesk software and living-off-the-land binaries (LoLBins).
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
